CVE-2022-36100

XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.

XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.

### Impact The tags document `Main.Tags` in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. Some versions of XWiki XML-escaped the tag (e.g., version 3.1) but this isn't a serious limitation as string literals can be delimited by `/` in Groovy and `<` and `>` aren't necessary, e.g., to elevate privileges of the current user. On XWiki versions before 13.10.4 and 14.2, this can be combined with the [authentication bypass using the login action](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm), meaning that no rights are required to perform the attack. The following URL demonstrates the attack: `<server>/xwiki/bin/login/Main/Tags?xpage=view&do=viewTag&tag=%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D`, where `<server>` is the URL of the XWiki installations. On current versions (e.g, 14.3), the issue can be exploited by requesting the URL `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D`, where `<server>` is the URL of the server. On XWiki 2.0 (that contains version 1.7 of the tag application), the URL `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{groovy}}println(%2Fhello from groovy!%2F){{%2Fgroovy}}` demonstrates the exploit while on XWiki 3.1 the following URL demonstrates the exploit: `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{footnote}}{{groovy}}println(%2Fhello%20from%20groovy!%2F){{%2Fgroovy}}{{/footnote}}`. ### Patches This has been patched in the supported versions 13.10.6 and 14.4. ### Workarounds The [patch that fixes the issue](https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427) can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from [version 14.4 of xwiki-platform-tag-ui](https://nexus.xwiki.org/nexus/content/groups/public/org/xwiki/platform/xwiki-platform-tag-ui/14.4/xwiki-platform-tag-ui-14.4.xar) using [the import feature in the administration UI](https://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HImport) on XWiki 10.9 and later (earlier versions might not be compatible with the current version of the document). ### References * https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427 * https://jira.xwiki.org/browse/XWIKI-19747 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

### Impact The tags document `Main.Tags` in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. Some versions of XWiki XML-escaped the tag (e.g., version 3.1) but this isn't a serious limitation as string literals can be delimited by `/` in Groovy and `<` and `>` aren't necessary, e.g., to elevate privileges of the current user. On XWiki versions before 13.10.4 and 14.2, this can be combined with the [authentication bypass using the login action](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm), meaning that no rights are required to perform the attack. The following URL demonstrates the attack: `<server>/xwiki/bin/login/Main/Tags?xpage=view&do=viewTag&tag=%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D`, where `<server>` is the URL of the XWiki installations. On current versions (e.g, 14.3), the issue can be exploited by requesting the URL `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D`, where `<server>` is the URL of the server. On XWiki 2.0 (that contains version 1.7 of the tag application), the URL `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{groovy}}println(%2Fhello from groovy!%2F){{%2Fgroovy}}` demonstrates the exploit while on XWiki 3.1 the following URL demonstrates the exploit: `<server>/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{footnote}}{{groovy}}println(%2Fhello%20from%20groovy!%2F){{%2Fgroovy}}{{/footnote}}`. ### Patches This has been patched in the supported versions 13.10.6 and 14.4. ### Workarounds The [patch that fixes the issue](https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427) can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from [version 14.4 of xwiki-platform-tag-ui](https://nexus.xwiki.org/nexus/content/groups/public/org/xwiki/platform/xwiki-platform-tag-ui/14.4/xwiki-platform-tag-ui-14.4.xar) using [the import feature in the administration UI](https://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HImport) on XWiki 10.9 and later (earlier versions might not be compatible with the current version of the document). ### References * https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427 * https://jira.xwiki.org/browse/XWIKI-19747 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

XWiki Platform Applications Tag y XWiki Platform Tag UI son aplicaciones de etiquetas para XWiki, una plataforma wiki genérica.&#xa0;A partir de la versión 1.7 en XWiki Platform Applications Tag y anteriores a 13.10.6 y 14.4 en XWiki Platform Tag UI, el documento de etiquetas "Main.Tags" en XWiki no saneaba apropiadamente las entradas del usuario.&#xa0;Esto permitió a usuarios con derechos de visualización en el documento (predeterminado en un wiki público o para usuarios autenticados en wikis privados) ejecutar código Groovy, Python y Velocity arbitrario con derechos de programación.&#xa0;Esto también permitió omitir todas las verificaciones de derechos y, por lo tanto, la modificación y divulgación de todo el contenido almacenado en la instalación de XWiki.&#xa0;La vulnerabilidad podría usarse para afectar la disponibilidad de la wiki.&#xa0;En XWiki versiones anteriores a 13.10.4 y la 14.2, esto puede combinarse con CVE-2022-36092,&#xa0;lo que significa que no son requeridos derechos para realizar el ataque.&#xa0;La vulnerabilidad ha sido parcheada en versiones 13.10.6 y 14.4.&#xa0;Como mitigación, el parche que corrige el problema puede aplicarse manualmente al documento "Main.Tags" o la versión actualizada de ese documento puede importarse desde la versión 14.4 de xwiki-platform-tag-ui usando la funcionalidad import en la Interfaz de Usuario de administración en XWiki versión 10.9 y posterior